After the number of major data breaches in 2017, it wouldn’t be surprising to see some measure of data breach fatigue set in for both the general public and enterprises. Such an occurrence, however, would mean we missed valuable lessons from some of this year’s worst breaches.
First, a disclaimer: there have been too many major breaches and cyberattacks this year to count. Most infosec news sites, including SearchSecurity, can’t cover all of them. In fact, they may not get to most of them. Rampant nation-state hacking, global ransomware campaigns and a continuing series of baffling accidental data exposures have generated too much material to cover.
In addition, the scale and scope of damage has changed. So many names, email addresses and credit card numbers have been spilled over the last five years that it’s hard to get worked up about another breach that exposes information that is in all likelihood already on the dark web. Again, some level of data breach fatigue – or at least, acceptance – is to be expected.
What may have seemed like a major data breach five years ago might not even garner a second look today. An incident that exposes a few million customer usernames and email addresses might have stopped the presses back then, but today it barely registers as a speed bump.
That is, unless there are unique circumstances involved in these incidents, which should stave off data breach fatigue. We’ve witnessed several such breaches this year, and those unique circumstances should serve as lessons for both consumers and infosec professionals. Here’s a summary of those breaches.
- Equifax: The credit rating agency’s data breach exposed the names, birth dates, addresses and Social Security numbers of 143 million U.S. consumers, but that was only half the story. Equifax’s breach response was a series of confounding errors and missteps, from setting up an insecure website for consumers to check if they were affected or not, to an interim CEO who didn’t know whether consumers’ personal data had been encrypted following the breach. It’s easy to look at Equifax and see yet another major breach that exposed a lot of personal information that may have already been exposed in other, unrelated breaches. But that shouldn’t be the takeaway; breaches are bad, but they can be made even worse by incompetent responses and ill-prepared leadership that put customers and the organization at further risk.
- Uber: In 2016, the ride-sharing startup suffered a major breach that exposed the names, email addresses and phone numbers of 50 million users. On the surface, the incident doesn’t look like much – until you consider we didn’t learn about the breach until a year later. Uber officials concealed the incident and paid the hackers to stay quiet. It’s unclear why the breach was covered up – Uber fired two executives for their alleged involvement in the cover up – but the company has since been hit with a number of lawsuits from both users and state attorneys general. There are grave practical implications — If customers and employees don’t know an incident has occurred, then they obviously can’t do anything to protect themselves or their company – as well as ethical implications for this kind of corporate behavior. It’s impossible to know if it’s a common practice, but the Uber incident could be an indication that breach concealment is not as rare as we’d like to believe.
- Amazon Web Services (AWS) exposures: There have too many of these accidental breaches to list, which offers some idea of how dire the situation is. To summarize: Cybersecurity vendor UpGuard has been scanning the internet for publically accessible AWS Simple Storage Service (S3) instances and discovered that many of these S3 buckets were misconfigured. As a result, organizations ranging from the Pentagon to Dow Jones & Company have had their sensitive data exposed on the internet. Most experts agree these accidental breaches are the fault of the customers and not AWS (after all, S3 buckets are private by default). Unfortunately, the scale of the problem suggests enterprises are either suffering from a lack of proper access control knowledge or allowing untrained and ill-equipped personnel to spin up cloud services for sensitive data. Neither explanation speaks well of enterprise security, which is apparently struggling so mightily that some companies don’t even need hackers to expose their data – they’ll do it on their own.
These cases offer valuable lessons on breach response, ethics and prevention for enterprises and consumers alike. They should serve as potent remedies for data breach fatigue. And if these breach lessons aren’t heeded, then we’ll be doomed to repeat them for years to come.